System and method for securing tenant data on a local appliance prior to delivery to a SaaS data center hosted application service

ABSTRACT

An extensible services hosting platform is provided that supports the design, build and concurrent deployment of multiple web accessible services on a services hosting platform. The services hosting platform comprises a services hosting framework capable of hosting multiple service applications, each of which may be shared by multiple tenants that each customize their use of a particular application service by extending the application service to exploit run time platform services within a service execution pipeline. The services hosting framework may easily be leveraged by applications to decrease the time associated with developing, deploying and maintaining high quality services in a cost effective manner.

FIELD OF THE INVENTION

This invention relates generally to networked computing systems and more particularly to a Software as a Service (SaaS) architecture.

BACKGROUND OF THE INVENTION

Software as a Service (SaaS) has recently grown in popularity as a low cost way for businesses to obtain the benefits of commercially licensed, internally operated software without the complexity and cost typically associated with obtaining and maintaining the software. SaaS is a software delivery model which makes software applications available to customers via the internet. The software applications are hosted and operated by the software developer (or a third party), for use by the customer. Revenue is paid to the software developer for the use of the application by the customer, rather than for the ownership of the application. SaaS thus enables customers to outsource business processes, such as backup and recovery or other services, to increase the availability, reliability and cost effectiveness of administration of the services.

SaaS offerings are generally commercially available (i.e., not customized) applications that are accessed via web-based applications delivered through standard Internet and mobile browser clients, as well as via web based application programming interfaces that are integrated into customers' applications. SaaS applications are typically 'hosted' from a centralized location rather than at the customer sites, and are accessed remotely by the customer. SaaS vendors typically use a multi-tenant architecture where multiple different tenants each execute the same software that processes their tenant owned data. Centralized management of a SaaS application permits centralized feature updating, thereby removing the need for downloading of patches and upgrades. Examples of popular SaaS applications include Customer Relations Management (CRM), video conferencing, accounting and email services. In general, current SaaS vendors support the delivery of a single application as a SaaS rather than providing a platform that can deliver and host multiple applications as software as a service.

The SaaS business model is an evolution from the Application Services Provider (ASP) model and overcomes several problems of the ASP model. In an ASP business model, a service provider obtains a commercially available application and hosts the application for customers by generating a unique application instance that is dedicated to supporting the particular customer. Although the ASP hosts the applications, the applications are typically authored by third party application providers.

One problem with the ASP model is the difficulty associated with supporting the third party software, because the ASP would not typically have the expertise to support the third party offerings. In addition, because the ASP architecture generates separate application instances for each customer, delivering patches and upgrades to the customers is a non-trivial task. Supporting and maintaining the separate application instances makes it difficult to effectively scale an ASP solution.

The SaaS architecture overcomes scalability and maintenance issues through the use of one software application, for which maintenance upgrades can be made instantly available across the entire customer base. However, the advantages of the SaaS system can also be viewed as drawbacks; while the SaaS model allows a software application to be viewed as a commodity that is available to all customers, it can't be ignored that each customer will have differing needs which may be better suited by customization of the software application. In addition, the centralized management of applications and data across wide customer bases may cause security concerns for customers. Accordingly, it would be desirable to identify an architecture which would realize the benefits of the SaaS architecture while enabling a degree of customization and an assurance of security and privacy to the customers.

SUMMARY OF THE INVENTION

According to one aspect of the invention, a method of securing tenant data prior to transferring the tenant data on a storage medium to a host data center includes the steps of generating a custom key for the tenant, encrypting the tenant data using the custom key, encrypting the custom key using a public certificate of a Vault Service provided by the host infrastructure, storing the encrypted custom key and the encrypted tenant data on the storage medium and transferring the storage medium to the host data center.
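The sealing procedure of this aspect, worked as an added Go example that is not part of the patent: a fresh per-tenant AES-256-GCM key encrypts the tenant data, RSA-OAEP under the Vault Service's public key wraps that key, and both are stored together for transfer; the package layout, the tenant-label convention and all function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// SealedPackage is what the appliance writes to the storage medium: the tenant's
// custom key wrapped to the Vault Service plus the data encrypted under that key
// (layout is an assumption of this example).
type SealedPackage struct {
	WrappedKey []byte // custom key, RSA-OAEP encrypted to the Vault Service public key
	Nonce      []byte // AES-GCM nonce for Ciphertext
	Ciphertext []byte // tenant data under AES-256-GCM with the custom key
}

// tenantLabel is the OAEP label: a key wrapped for one tenant cannot be unwrapped
// under another tenant's label (constructed convention).
func tenantLabel(tenantID string) []byte { return []byte("tenant-key:" + tenantID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForVault performs the tenant-side steps: generate a custom key, encrypt the
// data with it, and wrap the key with the public key from the Vault Service certificate.
func SealForVault(vaultPub *rsa.PublicKey, tenantID string, data []byte) (*SealedPackage, error) {
	customKey := make([]byte, 32) // fresh AES-256 key for this tenant transfer
	if _, err := io.ReadFull(rand.Reader, customKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(customKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The tenant ID is bound as additional authenticated data, so the ciphertext
	// cannot be re-labelled to another tenant without failing authentication.
	ct := gcm.Seal(nil, nonce, data, []byte(tenantID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, vaultPub, customKey, tenantLabel(tenantID))
	if err != nil {
		return nil, err
	}
	return &SealedPackage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenAtVault performs the host-side steps when the medium arrives: unwrap the
// custom key with the Vault Service's private key (which never leaves the vault),
// then decrypt and authenticate the data.
func OpenAtVault(vaultPriv *rsa.PrivateKey, tenantID string, pkg *SealedPackage) ([]byte, error) {
	customKey, err := rsa.DecryptOAEP(sha256.New(), nil, vaultPriv, pkg.WrappedKey, tenantLabel(tenantID))
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong vault key or tenant label")
	}
	gcm, err := newGCM(customKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, []byte(tenantID))
	if err != nil {
		return nil, errors.New("data authentication failed: tampered or mislabelled")
	}
	return pt, nil
}

// RoundTrip seals constructed tenant data, checks that it does not open under a
// different tenant, and opens it at the vault; it reports whether the plaintext matches.
func RoundTrip() (bool, error) {
	vaultPriv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the Vault Service key pair
	if err != nil {
		return false, err
	}
	data := []byte("constructed tenant backup set")
	pkg, err := SealForVault(&vaultPriv.PublicKey, "tenant-42", data)
	if err != nil {
		return false, err
	}
	if _, err := OpenAtVault(vaultPriv, "tenant-99", pkg); err == nil {
		return false, errors.New("cross-tenant open unexpectedly succeeded")
	}
	pt, err := OpenAtVault(vaultPriv, "tenant-42", pkg)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, data), nil
}
```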

According to a further aspect of the invention, a method of securing customer data at a host platform includes the steps of generating a customer key, generating an index of the customer data, encrypting the index using a public key, encrypting the customer data using the customer key to provide encrypted customer data, and forwarding the encrypted customer data together with the encrypted index to the host platform to enable the host to decrypt the encrypted index using the public key and manipulate the encrypted customer data using the decrypted index.

According to another aspect of the invention, a host platform includes a storage device for storing encrypted customer data and an encrypted index to the encrypted customer data, wherein the encrypted customer data and the encrypted index to the customer data are encrypted using different keys, and a computer readable medium having program code stored thereon operable when executed by a processor of the host platform to provide a service to a customer associated with the encrypted customer data using the decrypted index of the customer data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a variety of functional modules which may be provided as part of a service platform architecture of the present invention;

FIG. 2A illustrates a subset of components 100 that may be included in a SaaS host of the present invention;

FIG. 2B illustrates an exemplary request service pipeline and response service pipeline that may be associated with a service instance;

FIG. 3 is a functional flow diagram providing a high level view of exemplary steps performed during tenant authentication and registration;

FIG. 4 is a block diagram of a storage network deploying a service framework of the present invention;

FIG. 5 illustrates exemplary components of a Tenant Lifecycle Management (TLM) data model that may be used to manage tenant data for tenants of the Services hosting platform of the present invention;

FIG. 6 illustrates an exemplary Application Invocation Framework (AIF) of the present invention;

FIG. 7A illustrates exemplary modules that may be included as part of the client drivers and host driver associated with the application services hosting framework;

FIG. 7B illustrates an exemplary client service invocation pipeline that invokes several client side handlers;

FIG. 8 illustrates an alternate perspective of the Services hosting platform of the present invention;

FIG. 9 illustrates a request and response service pipeline which may be associated with a web service supported by the Services hosting platform of FIG. 1;

FIG. 10 illustrates exemplary modules that may be provided in an authentication process of the host security service;

FIG. 11 illustrates exemplary components that may be included in client agent and host agent drivers to support a key generation and distribution service of the present invention;

FIG. 12 is a diagram of a logical routing service that may be provided as an infrastructure service for assisting other services that execute on the host infrastructure;

FIGS. 13A, 13B and 13C are flow diagrams provided to illustrate exemplary steps performed in several processes for securing data transferred on an appliance using services of the present invention;

FIG. 14 illustrates an exemplary host infrastructure in which the services hosting framework of the present invention may advantageously be employed; and

FIG. 15 illustrates an exemplary embodiment of the Services hosting platform of the present invention adapted to offer an extensible service.

DETAILED DESCRIPTION

Definitions

In the below description, certain terms shall be defined as follows:

An application service comprises program code associated with one or more services that can each be invoked over the Internet using a publicly exposed Application Programming Interface (API). Application services include host services developed by a host provider and hosted on the platform, partner services developed by a third party via a suite and hosted on the platform, and extended services comprising third party ISP services that extend existing host services and are hosted on the platform.

A host is an entity that supplies a service to a tenant.

A host infrastructure includes hardware and software provided by the host for use by the tenant. Multiple tenants may have simultaneous access to the host infrastructure.

A platform service includes re-usable services provided by the platform, infrastructure services and security and privacy services. Platform services may be either directly accessed by a tenant or invoked internally by application services.

A service is a unit of work performed by the host for the benefit of one or more tenants utilizing the infrastructure of the host. A service may range from an application service that is typically invoked or exploited by a tenant such that the service is effectively outsourced to the host to cost-effectively exploit the reliability, security and other administrative capabilities of the host. The service may also comprise a security and privacy service that may be layered upon any hosted service such that the resulting combined service provides enhanced capabilities around privacy, business continuity and security.

Software as a Service (SaaS) shall be defined as software deployed as a hosted service and that can be accessed over the Internet.

A tenant is a customer of the host such that the tenant subscribes to services provided by the host. Each tenant may include one or more users (also referred to herein as 'clients').

Application Services Hosting Framework

According to one aspect of the invention an extensible Software as a Service (SaaS) platform is provided that supports the design, build and concurrent deployment of multiple web accessible services on a services hosting platform. The services hosting platform comprises a services hosting framework which may be shared by multiple tenants, each of which may customize their use of a particular application service by extending the application service to exploit run time platform services within a service execution pipeline. The present invention thus provides a significant advantage over prior art SaaS architectures, where customers sharing the same code base for the application service run time could not dynamically modify the application behavior and the application configuration was not customizable.

The present invention also provides a significant advantage over typical Software Oriented Architectures (SOA). In general there are two types of SOA technologies available today. The first are commercial products designed for enterprise customers, where the data and applications being managed by SOA platforms resided locally in the enterprise. In such systems the security of a customer's data was generally accomplished by limiting the exposure of the data locally managed by the SOA platform. A second form of SOA is used by service providers such as Yahoo, MSN and Google to provide services to the public via the Internet. Such service offerings allow tenants to cost-effectively use the resources of the service provider. One problem with such services is that they do not fully guarantee tenant content protection; rather, each publicly accessible Internet service shares some underlying content in the Internet community. For example, using a sale service provided by Amazon.com results in a sale being extended to all Internet users that access the site; there is no way to restrict the offer to sell to a particular audience. Similarly, messaging services available from Yahoo do not include the ability to protect message data from distribution to particular members within a group; rather, any member that registers for the group may access the message.

In contrast, the present invention allows customer data to be secured even when exposed to application services that are hosted over the Internet, through selective addition of security and privacy services to enable delivery of applications as secure services to multiple tenants. In essence, the present invention provides a virtual private Internet environment for multi-tenant service delivery; the content and application protection, privacy and security previously found in locally managed SOA technologies augment an Internet coupled services framework, which leverages the reliability, 24/7 accessibility and flexibility of Internet service offerings, to provide a cost effective, reliable, monetizable and secure services host platform.

As will be described in more detail below, security and privacy services for application and data are not the only host services which may be leveraged by applications; rather, the services execution pipeline for any application may be augmented with any one of numerous services offered as part of the services host platform, including but not limited to use case independent usage tracking, problem detection and root cause analysis services, and various other administrative, management and monitoring capabilities. The addition of such services allows any application service to incorporate an automated method for detecting errors and tracking usage in real time. In a services host platform implementation wherein thousands of tenants may share access to applications and infrastructure, the ability to track usage and detect problems in real time is crucial to maintaining system resiliency; the ability of the present invention to provide this capability is a significant advantage that has not been provided by any of the known SOA systems that can be used for building, deploying and delivering applications that are available over the Internet 24/7.

The services hosting framework thus exposes a variety of platform services to any application service, whether provided by the host service provider or developed by a third party and hosted on the services host platform, in a secure, reliable and extensible manner. By providing such a framework, which makes re-usable platform services available to third party applications, monetization of the platform services may easily be realized.

The service framework is exposed to tenants via web based APIs and web based application components. Furthermore, the services offered by a platform may be dynamically extended to include third party application services by modifying the set of APIs and application components that are exposed to the tenants. An application component is a small application function that is made accessible via web based pages that can be downloaded to a browser client. Components may themselves call web based APIs. Application components are delivered as part of web based pages. Examples of application components that are delivered via web based pages include TLM, which may also be delivered via web based APIs. Examples of TLM APIs include AddUserProfile, GetUserProfile, AdminPolicyConfigure, etc.

Exemplary application services provided by an extensible Services hosting platform such as that of the present invention include, but are not limited to, Information Technology (IT) services (such as backup and recovery, archiving, generic storage), information management services (such as compliance services, litigation services, etc.), customer relation services, Enterprise Content Management (EMC) services (such as HR applications that manipulate corporate records) and the like. In addition, it will be appreciated that the extensible nature of the services host framework may be adapted to integrate any type of service into the platform, and thus the present invention is not limited to any particular service offering but rather may be used to provide a holistic service solution to customers.

Certain platform services (such as security and privacy services) may be used both as web accessible services via exposed APIs, or may be invoked by other platform or application services using internal APIs. As a result, customers can utilize the services host framework to obtain a wide array of high quality services that they have been heretofore unable to obtain due to equipment cost and management complexity, while the host can obtain monetary remuneration for both the base services and any service extensions.

As will be described in more detail below, the extensible nature of the service execution pipeline enables tenants to protect both applications and data by layering security and privacy services (key management services, ID verification services) and business continuity services on top of their existing application. A further advantage of the Services hosting platform of the present invention is that the web-based interface of the Services hosting platform allows services to be accessed by a wide range of geographically diverse customers, from individual consumers to small, medium and large enterprises.

FIG. 1 illustrates various logical components of the extensible services host platform of the present invention deployed as part of a storage host infrastructure. The architecture is a multi-tiered architecture comprising a data tier 40, services tier 42 and business tier 44. In general the data tier comprises components specifically associated with the host infrastructure. The business services tier includes those services which may be directly accessed by tenants via the Internet (also referred to herein as internet accessible application services or web services) and can also be viewed as revenue generating services of the host. The services tier includes those services which interface the business tier with the data tier. It should be noted that although certain services may be described herein as part of certain tiers, it is not a requirement of the invention that any particular service be restricted to inclusion in a particular tier.

A tenant may access the application services via an internet accessible portal 11. Web services may include those associated with Host Services 2, Partner Services 3 and any dynamically incorporated services (such as Extended service 15). Host services are SaaS centric applications that are developed, maintained and hosted by the host. Partner services are developed and maintained by a third party application service provider, for example an ISP, such that those applications are hosted on the SaaS service at the host data center. The Host Services may include services provided by the Host Infrastructure (such as, in the example of FIG. 1, Backup and Recovery, Archival, generic storage, Enterprise Content Management, etc.).

According to one aspect of the invention, Host Services may include one or more Security and privacy services 22 which can be used to support tenant security and business continuity in an application independent manner. Security and privacy services include services that can be used to protect content accessibility, such as authentication and authorization services, encryption services, business continuity services and Key Management services. Content accessibility can be protected by maintaining confidentiality of customer content at the services host platform using an encryption key, as well as by controlling access to the content and access to applications that use the content. Examples of services that benefit from security and privacy services include secure backup services, mail archiving services which provide continuity in the event of tenant equipment failure, etc. The security and privacy services differ from conventional Host services in that, although they may be directly invoked using abstracted APIs by tenants, the security and privacy services may also be invoked by other Host, Partner and Extended services.

A Partner service is developed, deployed and maintained by the partner using tools 50. The Partner service can be developed and deployed by the partner at the partner site, or at the Services hosting platform data center, and is hosted by the Services hosting platform. The Partner service may be integrated into the platform offering via the partner services extensions 52, integration services 35 and portal 11. Platform components may include APIs that may be used by third-party Partner Applications to access the common platform components. Third-party vendors can be provided with an SDK to develop their own service extensions to work alongside the platform components.

The extended services element represents a new services socket that may be used to incorporate services that are not supported by the base set of services offered by the platform but which are well suited for migration to the services host framework, and may subsequently be added to the framework by exposing an API for the extended service to tenants. An example of such an extended service is any service which involves data exchange over the Internet (for example, an email management service).

Web service APIs are managed by the web services API platform 12. The web services APIs may be implemented using protocols such as Representational State Transfer (REST) or Simple Object Access Protocol (SOAP) or the like, but essentially the API includes a Uniform Resource Locator (URL) to the program code associated with a handler for the associated service. In one embodiment, the APIs associated with a given web service are downloaded to the tenant when the tenant registers for a service. As a result, applications may be exposed to tenants via coarse-grained APIs that provide a small foot-print download for a web-based application, thereby minimizing the round-trip delays and payload size and increasing the performance of delivering the services to the client.

Thus the services hosting framework 14 controls the implementation, deployment and exposure of services to tenants, for example by linking application service handlers with service resources from an available service pool.

A base set of platform services 24 may include one or more re-useable platform services such as tenant lifecycle management (TLM), Customer Support (CS), order management, Service Level Management (SLM), ticket management, billing, and other development and deployment services such as registration and service provisioning. The platform services are exposed to web services via the services API platform 16. A service interface repository (not shown) may be provided to support access and version management of services that execute on the platform.

Infrastructure services 22 include services that are related to the particular host infrastructure and are meant to be re-usable across different endpoint application services; according to one aspect of the invention, the infrastructure services include an event logging framework 41, a problem detection/root cause analysis (RCA) component 43, a messaging engine 45, a logical routing service 46, a policy management engine 47 and a content/object repository 49. In general, the infrastructure services are not directly accessible to the tenant via the APIs, but rather are invoked by the security and privacy services 23 and platform services 24, or directly by handlers in the services hosting framework. As will be described in more detail below, a client can customize a web service by selective linking of platform, infrastructure and security and privacy services to an application service handler in an extensible service pipeline.

In FIG. 1 an exemplary host infrastructure associated with the data tier is shown to include a scalable storage backend 36, a scalable server farm 38, an Enterprise Services Bus (ESB) 34 and infrastructure services 22. The storage backend 36 and server farm 38 represent exemplary host equipment. The ESB 34 is an event-driven, standards based messaging engine that communicates with the server farm 38 and scalable storage 36 using their respective protocols.

Other components which may be included in a services host platform of the present invention include an application plug-in adapter 16, which enables integration of back end legacy applications into the Services hosting platform by translating SaaS requests into the protocol of the legacy application or storage back-end device. A resource management and orchestration module 32 coordinates the generation, deployment, monitoring and maintenance of the host, platform and partner services to tenants using the host infrastructure in a manner consistent with the services hosting framework.

Accordingly, the services hosting framework includes application services and platform services. The platform services can be viewed as a service pool which may be used to customize, secure, monitor or otherwise enhance host, partner or extended application services. One benefit of providing a set of services that may be re-used in this manner is that it removes the need for individual host or partner applications to create and maintain the respective platform, infrastructure or security and privacy services, while allowing both the host and partners to provide a richer service set to the customers in a cost effective manner without compromising customer content and/or IT security policies. Various services, including IT, security, transport, and messaging services, become abstract components that may be re-used to add richness to any other service.

With such an arrangement, the Services hosting platform of the present invention provides a use case independent request processing infrastructure via a light-weight, API oriented services hosting framework. Several advantages of such a structure include its ability to: a) exploit a re-usable, application-level authentication handler (and also retrieval of authorization data) for security token generation and use across multiple application services, b) exploit a re-usable, centralized, use-case independent usage tracking handler and c) exploit HTTP (and SSL) transport handlers via open-source, commodity, high performance servers.

FIG. 2A illustrates a subset of components 100 that may be included in a SaaS host of the present invention. A portal 101 permits access to the Services hosting platform services by coupled tenants. In one embodiment, the portal is an application that operates on a web browser and is accessed over the internet by the tenant. The portal is linked to a library 105 of services provided by the services host framework. As described above with regard to FIG. 1, the service library 105 includes security and privacy services 122, host/partner/extended services 102, platform services 103 and infrastructure services 104. It should be noted that only a representative set of each of the services has been shown for purposes of clarity. Thus security and privacy services 123 are shown to include an Identification service, Authentication/Authorization service, Key Management service, etc. The platform services 103 are shown to include Tenant Lifecycle Management (TLM), billing, SLM and Order Management services, etc. The infrastructure services are shown to include Event logging services, Root Cause Analysis (RCA) services, policy management services and repository services, etc. The services in library 105 may be document style web services, written, for example, in XML as REST style API based services. The platform services are exposed to host/partner/extended services via programmatic APIs that are encapsulated within an abstract services hosting framework. The programmatic APIs can be directly invoked by end-point application services. Platform services may include legacy services and other services that are coded by other means. Interfaces to such services can be provided via plug in adapters as described in FIG. 1.

According to one embodiment of the invention, a tenant accesses a service by registering with the host. The particular steps taken to invoke a service will be described in more detail with regard to FIG. 4. However, according to one aspect of the invention, authorization checks need to be carried out as part of processing requests for all services. Authentication is generally performed by a use case independent authentication handler. Thus, for each service two types of APIs may be exposed to a tenant: an authentication URL to which authentication requests are submitted and from which tokens are minted and returned to the calling client, and the application service API associated with the application request. Applications may require that requests be submitted with a valid token received via the authentication API associated with the application API. The token may be used to authenticate the requestor's credentials and access rights with regard to a particular service.

In one embodiment, the authentication service is hosted on a logically separate host, referred to herein as the authentication server, although this is not a requirement of the invention. The application service may be hosted on a logically or physically separate host. In one embodiment, the authentication service may be directly accessed via the application service; in alternate embodiments, the application service disables the authentication service during run time execution, and uses a token validator to validate tokens during run time.

FIG. 3 illustrates several components of a system comprising a client 150 coupled to a Services hosting platform including an authentication server 160 and an application server 170. The authentication server 160 includes a token minter 162 and an RSA plug-in module 164 which communicates with a security module 180 (comprising, for example, an RSA Access Manager module and a Lightweight Directory Access Protocol module) during token generation. The application server 170 includes an authentication token validator 172, a generic usage handler 174 (which may be used to monitor certain statistics regarding application usage as described in more detail below) as well as the service handler 176. The service handler may invoke one or more tenant associated sessions, such as a synchronous application service 190 or a process-oriented application service 192.

An authentication request is forwarded by the client, at step 1001, to gain access to or otherwise register for the service. In one embodiment, the authentication request includes a message header and payload components, such as <H1:Timestamp><Credential>, where the credential provides information regarding the authority of the particular client to access the service. The credential thus may be selected from a group including, but not limited to, a group identifier, a user identifier, an administrative domain, etc. In response to the authentication request, an authentication response is returned to the client in the form of:

<H1:Timestamp><Token><Error><Duration>

where H1 is the header, the timestamp field indicates the minting time for the token in the token field, the token is used to authenticate the client's ability to access the service, the error field includes an error code returned, for example, when a token is not returned, and the duration field identifies a duration period during which the minted token is valid.

Each token may have the following elements:

 <Token Signature>
 <Token Attributes>
 <Expiration Time>
 <Tenant ID>: UUID
 <User ID>: String
 <Group ID1, Group ID2, ... Group IDN>: Array(string)
 <RSA Security Token>: [Encrypted Data]

With such an arrangement, particular tokens may be associated with specific roles and groups as part of an authentication process. Upon receipt of the token, at step 1002 the client 150 forwards the application server a service registration request. In an embodiment where authentication is performed as part of the service registration, the service registration request may have the form:

<x>Service Request<H1:Timestamp><Credential>

And the response may have the form:

<x>Service Response <H1: Timestamp><Token><Error><Duration>

Thus, prior to the actual invocation of the service, the user isauthenticated and a token is returned to the user. The service requestmay also include selectors indicating which of the platform servicesthat the client wishes to include as part of the host service instance.

In FIG. 2, after a token is received by the client (either as part of an authentication process or as part of a registration process described above), if it has not already done so, at step 1002 the client 150 issues a service registration request that includes the token. The token is validated by the token validator 172 and the service execution pipeline instance for the service is generated. As will be described in more detail later herein, the service execution pipeline may include an authentication handler which will validate the token provided during registration using the authentication server, the usage handler 174 and the service handler 176. Depending upon the type of service, the service handler may invoke either a synchronous application service session (which is a short lived session for carrying out a distinct, short lived service) or a process-oriented session (which is a long lived session for carrying out a longer lived service, such as backup and recovery, etc.).

One feature of the present invention is the ability of the Services hosting platform to perform Role Based Access Control (RBAC). Role based access control ensures that only those users at the tenants having the required access attributes may utilize the program. To perform RBAC, certain authorization checks of the user should be performed. The token expiration time, tenant ID, user ID and group IDs carried in the token may be used to determine whether a user at a tenant is permitted to access the particular service. An API may be included as part of the Services hosting platform to check user Roles and Capabilities. The exemplary APIs shown below may be used:

API CheckRoles
 Input: User ID, Mode: Role, Capabilities set
 Output: (Role1, .... Role N) ∥ boolean
API CheckCapabilities
 Input: Role
 Output: (Capabilities1, .... Capabilities N)
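The following is an added example, not code from the patent or from the described platform, of what the token minter, the run-time token validator and the CheckRoles/CheckCapabilities APIs described above might look like. The token carries the listed elements (attributes, expiration time, tenant ID, user ID, group IDs and an opaque security-token blob) and is protected by an HMAC signature; the signing key, the group-to-role and role-to-capability tables, and the tenant and user values are all constructed for the example. The validator checks the signature before it trusts the expiration time, so an expired token cannot simply be edited back to life.

```python
"""Token minting, validation and role/capability checks (added example)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed signing secret held by the minter/validator; a real deployment
# would keep it in a key store or HSM, never in source.
SIGNING_KEY = b"example-minter-secret-do-not-reuse"

# Constructed RBAC tables: group -> roles, role -> capabilities.
GROUP_ROLES = {
    "backup-admins": ["tenant_admin", "backup_operator"],
    "staff": ["backup_operator"],
}
ROLE_CAPABILITIES = {
    "tenant_admin": ["key.distribute", "policy.configure", "backup.run", "backup.restore"],
    "backup_operator": ["backup.run", "backup.restore"],
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id, user_id, group_ids, security_token, duration_s, now=None):
    """Return (token, timestamp, duration), i.e. the <Timestamp><Token><Duration> fields."""
    minted_at = int(now if now is not None else time.time())
    attrs = {
        "attributes": {"issuer": "authn-server"},
        "expiration_time": minted_at + duration_s,
        "tenant_id": str(tenant_id),
        "user_id": user_id,
        "group_ids": list(group_ids),
        # Opaque blob from the access manager; only carried, never interpreted here.
        "security_token": _b64(security_token),
    }
    body = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(sig) + "." + _b64(body), minted_at, duration_s


def validate_token(token, now=None):
    """Token validator: signature first, then expiry. Returns the attributes or None."""
    try:
        sig_part, body_part = token.split(".", 1)
        body = _unb64(body_part)
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig_part), expected):
            return None
        attrs = json.loads(body)
    except (ValueError, TypeError):
        return None
    current = now if now is not None else time.time()
    if current >= attrs["expiration_time"]:
        return None
    return attrs


def check_roles(attrs, mode="Role", capabilities=None):
    """CheckRoles: mode "Role" returns the user's roles derived from their groups;
    mode "Capabilities" returns whether every requested capability is held."""
    roles = sorted({r for g in attrs["group_ids"] for r in GROUP_ROLES.get(g, [])})
    if mode == "Role":
        return roles
    held = {c for r in roles for c in ROLE_CAPABILITIES.get(r, [])}
    return set(capabilities or []) <= held


def check_capabilities(role):
    """CheckCapabilities: the capabilities granted to a single role."""
    return list(ROLE_CAPABILITIES.get(role, []))


def authorize(token, capability, now=None):
    """Run-time check: a valid, unexpired token whose groups grant the capability."""
    attrs = validate_token(token, now=now)
    return attrs is not None and check_roles(attrs, "Capabilities", [capability])


if __name__ == "__main__":
    tok, ts, dur = mint_token(uuid.uuid4(), "alice", ["staff"], b"rsa-blob", 600)
    print("roles:", check_roles(validate_token(tok)))
    print("may restore:", authorize(tok, "backup.restore"))
```

The signature covers the canonical JSON body, so any change to tenant, user, groups or expiry invalidates the token; group membership is resolved to roles at check time rather than baked into the token, so a role change takes effect on the next request.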

Associated with each service instance 106 are request and response service execution pipeline instances. The service execution pipeline instances may include one or more pipeline stages, with at least one pipeline stage including the particular service handler associated with the requested service, and the other stages of the pipeline being determined according to the particular platform, protection and infrastructure services used to augment the application service. The platform services that are used to augment the service handler may be selected by the hosting application service provider or, in one embodiment, selected by the tenant. For example, a tenant may select features of a service using the web browser during tenant registration with the host. As a result, tenants have the ability to configure and customize the delivery of their host service experience.

FIG. 2B illustrates a generic request service pipeline 120 and responseservice pipeline 122 that may be associated with a service instance.Each pipeline includes a request or response service handler associatedwith a type of the service requested, as well as any additional platformservices or infrastructure services (not shown) that are selected by thetenant or utilized by the application service. As will be described inmore detail below, an example of an infrastructure service that may beincluded in the service pipeline is a logical routing service. Theservices performed by the stages of the execution pipeline of a serviceinstance may be ‘linked’ using Aspect Oriented Programming (AOP)techniques.

The configuration of a service execution pipeline can be determined inresponse to a type of the web service and service instance specificpolicies stored in a service registry. For example, a specific policymay require the use of a specific authentication and authorizationhandler or an encryption/decryption handler for encoding/decoding indexdata. A more detailed discussion of particular configurations of serviceexecution pipelines is provided below with regard to FIG. 7.
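As an added example (not the patent's or platform's own code), the following shows one way to assemble a request and response execution pipeline from a service registry entry. Each stage wraps the next one, in the style of AOP "around" advice, so a single ordered stage list yields both the request path (outermost stage first) and the response path (innermost stage first). The registry entries, stage names, routing table and message fields are all constructed for illustration; the logical routing stage stands in for the infrastructure service mentioned above.

```python
"""Service execution pipeline assembled from a service registry entry (added example)."""
from typing import Callable, Dict, List

Message = Dict[str, object]          # a request or response, as a plain dict
Handler = Callable[[Message], Message]


class PipelineError(Exception):
    """Raised by a stage to abort the request before the service handler runs."""


# Constructed service registry: per service type, the platform/infrastructure
# stages that augment the service handler, in request order.
SERVICE_REGISTRY: Dict[str, List[str]] = {
    "backup": ["authorization", "usage", "logical_routing"],
    "status": ["authorization"],
}

# Constructed logical routing table: tenant -> storage backend. Relocating a
# tenant's data changes only this table, never the service handler.
ROUTING_TABLE: Dict[str, str] = {"tenant-a": "storage-node-1", "tenant-b": "storage-node-2"}


def authorization_stage(nxt: Handler) -> Handler:
    # Request-side advice only: refuse messages whose token did not validate.
    def run(msg: Message) -> Message:
        if not msg.get("token_valid"):
            raise PipelineError("unauthorized")
        return nxt(msg)
    return run


def usage_stage(nxt: Handler) -> Handler:
    # Advice on both sides: marks the request going in and the response coming out.
    def run(msg: Message) -> Message:
        msg.setdefault("trace", []).append("usage:start")
        resp = nxt(msg)
        resp["trace"].append("usage:end")
        return resp
    return run


def logical_routing_stage(nxt: Handler) -> Handler:
    # Infrastructure stage: resolve the tenant's backend so the handler never hard-codes it.
    def run(msg: Message) -> Message:
        backend = ROUTING_TABLE.get(str(msg.get("tenant_id")))
        if backend is None:
            raise PipelineError("no storage backend for tenant")
        msg["backend"] = backend
        return nxt(msg)
    return run


STAGE_FACTORIES: Dict[str, Callable[[Handler], Handler]] = {
    "authorization": authorization_stage,
    "usage": usage_stage,
    "logical_routing": logical_routing_stage,
}


def backup_service_handler(msg: Message) -> Message:
    """Innermost stage: the service handler proper."""
    return {"status": "ok", "stored_at": msg["backend"], "trace": msg.get("trace", [])}


def status_service_handler(msg: Message) -> Message:
    return {"status": "ok", "trace": msg.get("trace", [])}


SERVICE_HANDLERS: Dict[str, Handler] = {
    "backup": backup_service_handler,
    "status": status_service_handler,
}


def build_pipeline(service_type: str) -> Handler:
    """Link the registry's stages around the service handler; the first listed stage is outermost."""
    handler = SERVICE_HANDLERS[service_type]
    for name in reversed(SERVICE_REGISTRY[service_type]):
        handler = STAGE_FACTORIES[name](handler)
    return handler


def invoke(service_type: str, msg: Message) -> Message:
    """Run one request through its pipeline; a stage abort becomes an error response."""
    try:
        return build_pipeline(service_type)(dict(msg))
    except PipelineError as exc:
        return {"status": "error", "error": str(exc)}
```

Because the authorization stage is listed first it is always outermost, so a rejected request never reaches the usage or routing stages; a policy that mandates a particular handler is enforced simply by placing it at the head of the registry entry.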

FIG. 4 is a block diagram of a storage network deploying a service framework of the present invention. The network comprises a client tier 210, a service tier 250 and a data tier 280. The client tier includes one or more devices capable of communicating with the service tier using the IP protocol. The client tier devices may be geographically distributed from the service tier, the data tier and each other. The clients include both clients associated with the same tenant as well as clients associated with different tenants, and thus the service framework and data center are referred to as multi-tenant. Although client tier devices may communicate using different communication media, each includes the capability to exchange hypertext documents with the service tier over an IP network. The client devices may implement the Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS) application layer protocol to exchange the hypertext documents with the service tier. Examples of client devices are shown in client tier 210 to include a laptop 202, desktop 204, server 206 and mobile client 208. Each client device may incorporate a different operating system (Windows, Windows XP, LINUX, Mac OS X, J2ME, Windows CE). Using a public API based messaging protocol, the client tier can exploit the various applications that it is subscribed to.

A firewall/router 262 may be disposed in a communication path betweenthe service tier and the client tier. In various embodiments thefirewall/router may include functionality to support one or moreplatform services. Examples of infrastructure services that may besupported at the firewall/router 262 include intrusion detection, loadbalancing and Secure Socket Layer (SSL) control (termination,off-loading, etc.).

In the embodiment of FIG. 4 a data tier 280 includes one or more storageservers (294-298) each comprised of one or more control nodes and datanodes. The servers may be coupled to the service tier via an IP networkexecuting a layered file server protocol such as Networked File Server(NFS) protocol or the like. A firewall 264 is advantageously disposedbetween the service tier 250 and the data tier 280 to further secure thedata tier 280 against malicious access.

The service tier 250 is a web addressable data center comprised of a combination of hardware and software elements including services, databases, routers and firewalls. The services include platform and infrastructure services 270 and an application service pool 250 comprising, for example, the host/partner/extended services described above.

Each application in the server pool comprises software programs thatimplement services. In one embodiment, the software application iswritten as a SaaS servlet which operates in a web-browser environment.The SaaS servlet may be built and deployed using Apache/Tomcat runningon JBOSS (or as Java Virtual Machine). SaaS servlets are statelessapplications that can fulfill multiple requests from multiple tenantsvia request specific execution threads. Thus application services can beinvoked via public APIs (REST or SOAP) that are processed by the APIframework which receives client requests through the SaaS servlet.

Tenant Lifecycle Management

Although multiple clients are shown in FIG. 4, it can be appreciatedthat the clients may be associated with one or more tenants. TheServices hosting platform of the present invention is a multi-tenantarchitecture in which customers share some or all layers of the stack.Multi-tenancy can apply to: 1) the application layer only; 2) theapplication and server/processing layers; or 3) the application,server/processing, and database tiers.

Appropriate delivery, monitoring and billing of services by tenants isaccomplished through the use of a Tenant Lifecycle Management (TLM) datamodel. The TLM data model enables application services to: propagatetenant-level account data to the billing systems, create/modify/deletetenant accounts, customize tenant policy by providing policy operationcodes for the tenant, define a hierarchical administration policy andprovide operational, environmental and monitoring support. FIG. 5illustrates an exemplary embodiment of a TLM core data model. For eachtenant/partner there may be defined roles 212 and capabilities 213 foreach of the roles. User/administrators may be associated with variousdevices 215, credentials 219, groups 218 and services 216. Each service216 may have one or more subscription attributes 217, and usage 220 maybe tracked on a particular service or subscription basis.

The TLM data model is use case and application independent, but may beleveraged to provide an application centric TLM model for each service.Certain APIs that may be associated with TLM, and which may be used topopulate elements of the TLM data model include an AddUserProfile API(for bulk user registration/profile upload), a GetUserProfile API (toobtain user registration data) and an AdminPolicyConfiguration API toconfigure (security, subscription, and application) policies for a user.

Application Invocation Framework (AIF)

Each client that accesses an application service using the servicehosting framework comprises an Application Invocation Framework (AIF)that is populated with a combination of external APIs, client stubs,client side handlers, and client side databases. The client may be ahardware network device, or may be a virtual client implemented usingsoftware.

An exemplary AIF architecture is shown in FIG. 6, embodied in a customersite appliance. The AIF comprises a client application agent 310, whichmay be comprised of plug-in modules, user interfaces and client-sidehandlers for supporting a service hosted by the services hostingplatform. As will be described in more detail below, the clientapplication agent 310 may be augmented

The AIF also includes a services framework 320 which stores one or moreclient stubs (322, 324, 326 and 328) for associated application servicesas well as a plurality of external APIs 330. The client AIF may alsoinclude APIs to services which are at least partially locally hosted atthe appliance, such as a local key access API, logging API, client DBaccess API, RSA Lockbox. An AXIS messaging engine 337 and an HTTP+SSLTransport Library 338 may be coupled to a client execution pipeline 340.The client execution pipeline comprises a message handler 342 and atransport handler 344 for communicating with the services hostingplatform. In addition, the client execution pipeline comprises one ormore abstract handlers comprising one or more APIs to the serviceshosting framework.

The AIF may use local storage on the appliance 300 to store databases associated with locally executed services. For example, the appliance may include a local error logging database 351, coupled to the logging service which provides real time error logging. An SQLite relational database 352 may be provided to store service resource utilization information. A lockbox database, such as an RSA client lockbox database, may be used to store key information provided in response to invocation of the RSA lockbox service using its API.

The particular APIs, stubs and client handlers that populate each client appliance may differ, and may be obtained from the host servicing platform via a variety of different techniques. For example, the client may have obtained client software from the services hosting platform that includes information regarding exposed APIs that are used to invoke a service. In an alternate embodiment, the client may access the services hosting platform via a web browser; a web page associated with the services hosting framework displays service options to the client and downloads web pages to the client which include embedded User Interface (UI) components (also referred to as widgets) which may be used to invoke service APIs via browser level interactions. In another embodiment, as part of the registration process a thin client agent is downloaded to the client. The thin client agent may include one or more abstract handlers that include one or more APIs that augment the AIF of the client.

Whichever manner is used to provide the particular APIs that enable theclient to access services of the services hosted framework, invocationof the respective services may be made via the authentication service362, or directly to the hosted service 366 using a valid token.

The client appliance 300 is shown coupled to the services hosting datacenter 360. In FIG. 6 an authentication service 362, remote monitoringand logging service 364 and a hosted service 366 are shown by way ofexample. According to one aspect of the invention, the remote monitoringand logging service provides pro-active detection and repair of clientproblems which are logged at run-time via the logging API 334 of theclient. For example, software upgrade failures or errors between clientand the hosted application service are logged as they occur in thedatabase 351. Error information may be propagated to the serviceshosting data center 360 via a report feedback path 371 using AXIS orother web messaging techniques. The remote monitoring and loggingservice, 364, upon notification of the issue with the client,selectively provides corrective actions, software updates and/orreconfiguration feedback to the client, for example in the form of apatch, updated client stub, or other handler to quickly resolve theservice issue.

FIG. 7A illustrates an exemplary implementation of the client appliancearchitecture shown in FIG. 6, and is used to discuss, in more detail,the roles of a tenant administrator and the use of client side handlers.

In an embodiment where the services hosting platform forwards a thinservice client application to the tenant, the thin client may includeone or more client handlers. The client handler comprises pre-configuredprogram code, customized for a particular tenant, which enables theclient to locally execute at least a portion of the associated webservice. The determination as to whether to implement a portion of aservice at the SaaS data center or locally at a client is largely amatter of design choice. The decision to pre-configure and distribute aclient handler occurs in a manner that is consistent with anadministration policy of the tenant's organization. Examples of servicesfor which client handlers may be generated and deployed include but arenot limited to encryption services, compression services, indexingservices and data de-duplication services.

FIG. 7A illustrates exemplary modules that may be included as part ofthe client drivers (400, 420) of the AIF and host driver (440)associated with the services hosting framework. The client driversinvoke various administrative and account management functions to managethe services offered by services hosting framework.

The drivers thus include the ability to perform admin and accountmanagement functions via local Client User Interfaces (UI) clients 422or via a Web-based admin and account management application 402. In FIG.7A, client 400 illustrates drivers for an administrative client of thetenant, while client 420 illustrates drivers that may be provided in auser client of the tenant.

The administrative client 400 executes a web browser including anadministrator and accounts management web page. In one embodiment, theadministrator can be used to enforce the policies of the tenant, forexample through authentication and authorization of the users andselective key distribution to users. The administrator may also controlthe delivery of service schedules to the tenant users.

As shown in FIG. 7A, the Application Invocation Framework 425 (shown indashed lines) includes client drivers such as a scheduling module 424,one or more plug-in adapters 426, as well as client side handlers 429and a database of service associated external APIs 427. The schedulingmodule 424 may be used to store and execute the schedules associatedwith various client services (for example, to schedule a backup andrecovery operation). The client plug-in adapters 426 include code thatmay be used by the client to precondition data for use on the hostinfrastructure. The application invocation framework 428 feeds theclient service execution pipeline with one or more entry points and/orREST APIs that enable the client to invoke the web-services offered bythe host. The entry points/APIs may be entry points and APIs to theservices hosting framework, or alternatively may include entrypoints/APIs to locally stored service handlers, referred to herein asclient side handlers 429.

According to one embodiment of the invention, the client side handlerscomprise OS/platform independent run-time program code which permits theclient to locally execute one or more functions associated with a webservice. The client side handlers are deployed by the services hostingplatform to the client when the client registers for a web service in amanner consistent with the policy of the tenant. Examples of clienthandlers include, but are not limited to, program code forencryption/decryption, compression/decompression, indexing andde-duplication.

It should be noted that the client side handlers may include entrypoints or APIs to the services hosting framework. For example, a clientside encryption handler may access an encryption key for a tenant usinga secure lock box service of the services hosting platform.

The application invocation framework is thus a low footprint databasefor storing APIs and other data particular to services subscribed to bythe tenant, where ‘low footprint’ means that the amount of data thatneeds to be downloaded as the client agent is minimized.

Customization of the application services by the client may be attainedthrough local customization of the client agent (for example, byaltering backup schedules, etc.). Other customizable aspects of a clientdriver may include, but are not limited to, client side caching,encryption capability and policy management capability.

The client execution pipeline 428 thus provides, for each service, a linked list of one or more entry points to the services hosting framework and client side handlers. FIG. 7B illustrates one example of a client execution pipeline associated with a backup and recovery service. A client side indexing handler 462 calculates an index for data to be stored by the services hosting platform. After the index is calculated, a client side compression handler 464 compresses the data, and forwards the data to an encryption handler 464. The encryption handler 464 may invoke a service to retrieve the encryption key associated with the tenant from a lock box on the services hosting platform. Once the client has the encryption key, the encryption handler encrypts the data, and forwards the data and index to the services hosting platform by invoking a Backup and Recovery (BRU) service using a REST API call. As a result, the data is secured before it is forwarded over the wire, while still allowing the services hosting platform to provide the backup and recovery functionality.

FIG. 8 is another block diagram of a services hosting platform, illustrating several components that facilitate end to end message flow. For example, the services hosting platform includes a client tier 1100, a services tier 1120, a business tier 1130 and a data tier 1140. The client tier 1100 includes any tenant client, including web based clients and application clients as well as remote and local clients; in essence, any client capable of communicating via the Internet with the service tier 1120.

Depending upon the protocol of requests from the client tier, requestsmay be processed using either API servlets 1102 or SaaS servlets 1104and forwarded to one of an API framework 1112 or Widget framework 1114(where a Widget framework is a SaaS servlet related service library).Requests from the Widget framework are translated and forwarded to theAPI framework 1112, and used to identify the entry point to the webservice to retrieve the service instance from the business services tier1120.

As described above, the business tier 1120 may include a variety of host services (such as admin/accounting services, backup services and recovery services), but new services 1122 may also be linked into the business tier 1120 by the services hosting framework. The ‘new’ service may be a SaaS service, or may be a legacy service, which is assigned an entry point by the services hosting framework, and invoked via the plug in adapter 16 (FIG. 1). To add a service to the business services tier 1120, a services pipeline for the service is built by linking the servlets associated with the service handler and the incorporated platform/protection/infrastructure services using AOP techniques. An API associated with the new service is then forwarded to the Application Framework API to expose the service to the client/tenants.

Accordingly an extensible services hosting framework has been shown anddescribed that enables dynamic deployment of web-services that invokeservices from a re-usable multi-tiered service pool. One feature of theextensible services hosting framework lies in its rich set ofinfrastructure, platform and security and privacy services. The serviceset may easily be leveraged by applications to decrease the timeassociated with developing, deploying and maintaining high qualityservices in a cost effective manner. Several exemplary services that maybe provided as part of the services hosting framework will now bedescribed in greater detail with reference to a web service request andresponse pipeline.

Services Execution Pipeline

As mentioned above, the service execution pipeline is configurable. FIG. 9 illustrates only a representative set of handlers that may be included in the pipeline and is used as a springboard to discuss an exemplary flow which includes several security and privacy services. Thus FIG. 9 illustrates exemplary handlers that may be included in respective request and response service execution pipelines 600 and 650 for executing a web service associated with service handlers 610 and 654.

Authorization Service Handler

When a request is received from a tenant, an authorization handler 602 is first used to verify that the tenant has the ability to access both the service and the data associated with the service. A typical flow that accesses the authorization handler to obtain tokens was described above in FIG. 3. According to one aspect of the invention, the authorization handler is one of the security and privacy services which is publicly exposed for use both by tenants and by applications to secure content.

FIG. 10 is a more detailed diagram illustrating exemplary services that may be invoked by an authentication handler of the present invention. Steps that may be performed in the authentication process, described broadly in FIG. 4, are indicated by numbered arrows in FIG. 10. At step 751 the client sends a request with a credential or cookie over HTTP/S. At step 753 the F5 firewall 704 proxies authentication for the client against the host SaaS Server 708, passing the credential to the SaaS server's RSA Access Manager (AM) 706 for authentication. At step 754 RSA AM 706 authenticates the client and returns an authentication token/session. The token may be an HTTP encrypted token which will be available to the service framework (i.e., the framework will have a copy of the RSA security token) and can also be accessed on demand (if needed) from the RSA Access Manager. At steps 755/755a the SaaS server returns an F5 session to the client (via firewall 704), which is dropped on the user machine as a cookie (for a browser client) or a token (for an application client).

In one embodiment, at step 756 SaaS server 708 accesses the RSA generated security token (of the authenticated user) and wraps (or “mints”) it into a Security Authentication Token consisting of the following components: {RSA-generated security token, hash of the services hosting platform-specific operation ID}, where the operation ID should be a unique identifier of 2 bytes. The SaaS server 708 forwards the Security Authentication token to a backup and recovery Server 712 in a Request Message with the following security parameters {userID, services hosting platform Auth Token}, each of which will be 32 bytes.

At steps 757/757a the backup server 712 invokes a Security API (which may implement the Java Security Provider Interface) hosted on a dedicated Security App Server 710 to validate the services hosting platform Authentication Token. When the token is verified, the security server returns authorizations/privileges/roles via RSA AM (758, 758a).

In one embodiment the Security API arguments may be in the form of(userID, authToken, activityID) and return value(s) from the API may bea boolean value indicating whether the user is authorized for theactivity and optionally the access rights of the user. For example, thesecurity API may be the Role Based Access Control APIs described above.The Security API may be used to validate that the security token is notexpired and is valid. The Security Server 710 where the Security API ishosted may be coupled via a dedicated VLAN such that the address of theSecurity server is configured by the backup and recovery system.

Referring back to FIG. 9, once the client is authenticated, a keyhandler 504 is invoked to obtain an encryption key for use by theclient. The process of obtaining an encryption key is described in FIG.11.

Key Handler

One feature of the host security service of the present invention is its ability to provide an end-to-end secure path for user data. In an enterprise environment where the tenant's users may be geographically distributed, key distribution and version management are integral to the security solution. In a storage environment which executes backup and recovery services it is important that users who retrieve backed up data have access to the same key that was used to encrypt the backed up data.

FIG. 11 illustrates exemplary software modules that may be included inclient agent and host agent drivers to support key distribution by ahost security service using the services hosting framework of thepresent invention. FIG. 11 will be used to describe an exemplary keydistribution process of a host security service, with steps of theprocess being illustrated by numbered arrows in the figure. Each clientagent, whether an administrator or a user, includes a thin client, a keyaccess API and an RSA LockBox module (a cross-platform toolkit for dataencryption).

For convenience a firewall 820 may perform certain security functionsfor the host security service, although it is not a requirement that afirewall be used. As shown in FIG. 8, the firewall may includefunctionality such as an HTTP Proxy Authentication, Traffic Proxy, SSLAcceleration, SSL Termination, Web App Security (CSS), Load-balancing,among other functions.

The host site 830 is shown to include an RSA Access Manager module 832,an application server 834 including the security service 836, a KeyManagement Service (KMS) 838 and an RSA Key Manager module 840. RSAAccess Manager comprises access management software that enablesorganizations to provide secure access to Web applications withinintranets, extranets, portals and Microsoft Exchange infrastructureswith transparent, SSO (single sign-on) access. RSA Access Manager alsohelps manage multiple user groups while enforcing a centralized accesspolicy that protects enterprise resources from unauthorized access. RSAKey manager includes key lifecycle management capabilities.

The Key Management Service (KMS) 838 is a new service provided as partof the services hosting framework of the present invention. The KeyManagement Service is an optional, use-case independent on demandservice which may be used to generate a new encryption key for a newtenant, securely back-up an encryption key in a secure Vault, distributean encryption key to a user's laptop/desktop where it is stored securelyin a local client side key store and retrieve the encryption key fromthe Vault if the client machine is corrupted over an authenticated HTTPconnection.

The Key Management Service (KMS) may be deployed by the host servicing platform, at a third party site or at a customer site. KMS capabilities are exposed to clients via a use-case independent API. It is anticipated that any invocation of the KMS is only permitted following authentication and authorization of the calling tenant. To use the KMS, the client should have the ability to store and protect the encryption key, for example using an OS/platform independent key store such as RSA lockbox. (RSA lockbox may be deployed to the client as a thin client side handler during registration for the KMS).

Before accessing any host service, the tenant administrator registers with the host. During a typical registration process, a customer provides customer data on registration pages of the host and receives an invitation from the host to select and customize their service. Following registration, at step 851 the tenant administrator registers with the host service and authenticates itself via the firewall using a process such as that described in more detail in FIG. 10. Following authentication, the administrator downloads and installs the security service handler, which includes an API to the KMS 838. At step 852 the client administrator agent transparently invokes the KMS 838, and at 853 the KMS generates the encryption key (either AES-128 or 256-bit) for the tenant, stores a back-up copy of the newly generated key in RKM 840, and at step 853 sends the encryption key back to the Agent being installed on the Administrator's machine. The key is stored using RSA Lock Box 804 by the client administrator agent.

At step 854 a new user for the tenant authenticates itself with the host service and downloads the thin security service client. At step 855 the security service client retrieves the key for its associated tenant from Vault 838 and stores the key in its RSA Lock Box 816.

Once the key is stored in the client Lock Box 816, the client mayinitiate services which use the key, such as a backup and recoveryservice.
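The key generation, vaulting, distribution and recovery flow of steps 851 to 855, as an added example that is not the patent's own code. Tokens are modelled as already-validated attribute dicts (tenant ID plus roles), the Vault/RKM backing store and the client Lock Box are in-memory stand-ins for the RSA Key Manager and RSA Lock Box products named above, and the key versioning is an assumption added to show how a user restoring old data can ask for the key version that encrypted it. Keys are drawn with os.urandom at the AES-128 or AES-256 size.

```python
"""Key Management Service flow: generate, vault, distribute, recover (added example)."""
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_SIZES = {"AES-128": 16, "AES-256": 32}


class KmsError(Exception):
    pass


@dataclass
class Vault:
    """Backup copy of every tenant key version (stands in for RKM 840)."""
    keys: Dict[Tuple[str, int], bytes] = field(default_factory=dict)
    latest: Dict[str, int] = field(default_factory=dict)


@dataclass
class LockBox:
    """Client-side key store holding one tenant key version (RSA Lock Box stand-in)."""
    key: Optional[bytes] = None
    version: Optional[int] = None


class KeyManagementService:
    def __init__(self) -> None:
        self.vault = Vault()

    @staticmethod
    def _require(token, tenant_id, role=None):
        # Every KMS call is gated on an authenticated caller bound to the tenant
        # (and, for administrative operations, holding the required role).
        if token is None or token.get("tenant_id") != tenant_id:
            raise KmsError("caller not authorized for tenant")
        if role and role not in token.get("roles", []):
            raise KmsError(f"role {role} required")

    def generate_key(self, token, tenant_id, algorithm="AES-256"):
        """Steps 852/853: the tenant administrator triggers key generation; the
        new version is backed up in the vault and returned to the admin agent."""
        self._require(token, tenant_id, role="tenant_admin")
        key = os.urandom(KEY_SIZES[algorithm])
        version = self.vault.latest.get(tenant_id, 0) + 1
        self.vault.keys[(tenant_id, version)] = key
        self.vault.latest[tenant_id] = version
        return key, version

    def retrieve_key(self, token, tenant_id, version=None):
        """Step 855 (new user) or recovery after a corrupted client: hand out the
        tenant key. An explicit version lets a restore use the key that encrypted the data."""
        self._require(token, tenant_id)
        version = version or self.vault.latest.get(tenant_id)
        if version is None or (tenant_id, version) not in self.vault.keys:
            raise KmsError("no key for tenant")
        return self.vault.keys[(tenant_id, version)], version


def install_client(kms: KeyManagementService, token, tenant_id, version=None) -> LockBox:
    """Thin security client: fetch the key after authentication and store it locally."""
    box = LockBox()
    box.key, box.version = kms.retrieve_key(token, tenant_id, version)
    return box
```

Every user of a tenant ends up with the same key material as the administrator who generated it, which is the property the text calls out for backup and recovery; a caller authenticated to a different tenant, or a plain user trying to rotate the key, is refused before the vault is touched.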

Accordingly a key management and distribution service has been described that centralizes key management to enable intelligent encryption brokering (by ensuring that tenants always have access to appropriate keys) as well as intelligent key management (through authentication of users).

Usage/Metering Handler

Referring back to FIG. 9, after a tenant has been authenticated and keys have been distributed, the tenant is able to use any of the other platform, infrastructure or host services that are available on the services hosting platform. These services are described in detail in FIG. 1. Several of the platform services (such as billing and service level management) involve monitoring the utilization of host infrastructure resources. A usage/metering handler 606 may therefore be included in the services execution pipeline to provide real time usage information.

The usage/metering handler 606 allows for virtual real-time tracking of message exchange and resource utilization. As shown in the TLM data model of FIG. 5, usage tracking can be performed on a service, subscription, tenant or user basis. Certain process oriented services must keep track of message exchanges between the client and the SaaS services; the usage/metering handler enables intermediate message exchanges to be tracked in real time in order to collect overall usage data for the particular process. Usage data may be tracked at a user/resource granularity by session tracking using the services pipeline. As a result, various services, including SLM, TLM and billing services, can accurately track process flow and resource utilization.

There are various methods that may be used to obtain real time usage data using the services hosting platform. In one embodiment, when the client service pipeline is executed, header fields BACKUP_START (and BACKUP_END) are inserted into the client HTTP/S message that is forwarded to the host services platform. The host may intercept the HTTP/S messages and track messages of type=BACKUP_START and BACKUP_END. The host may use these indicators to log the events and track usage between receipt of the messages. It will be appreciated that such a feature allows real-time usage and other statistics to be tracked at both a client and tenant granularity. Application associated information may be asynchronously aggregated with application independent information to track resource utilization across multiple tenants.
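One way to implement the host-side interception just described, as an added Go example that is not the patent's code: the header names, the tenant/session identifiers and the constructed URL are assumptions, since the page names only the BACKUP_START and BACKUP_END indicators; the meter opens a session on BACKUP_START, attributes the payload of the intermediate messages to it, closes it on BACKUP_END and rejects out-of-order indicators.

```go
package main

import (
	"bytes"
	"errors"
	"net/http"
	"time"
)

// Header names are assumptions; the page names only the two indicators.
const (
	hdrEvent   = "X-Usage-Event" // BACKUP_START, BACKUP_END or absent
	hdrTenant  = "X-Tenant-ID"
	hdrSession = "X-Session-ID"
)

// UsageRecord is one completed backup as the host would log it.
type UsageRecord struct {
	Tenant, Session string
	Duration        time.Duration // receipt of END minus receipt of START
	Bytes           int64         // payload carried between the two indicators
}

type session struct {
	start time.Time
	bytes int64
}

// Meter is the host-side interceptor, keyed by tenant/session so that one
// tenant's concurrent clients are tracked separately.
type Meter struct {
	open    map[string]*session
	Records []UsageRecord
}

func NewMeter() *Meter { return &Meter{open: make(map[string]*session)} }

// NewMessage builds a client message as the pipeline would emit it
// (constructed URL; event may be "" for an ordinary data message).
func NewMessage(tenant, sid, event string, body []byte) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://host.example/backup", bytes.NewReader(body))
	r.Header.Set(hdrTenant, tenant)
	r.Header.Set(hdrSession, sid)
	if event != "" {
		r.Header.Set(hdrEvent, event)
	}
	return r
}

// Observe is called for every intercepted HTTP/S message; the receipt time
// is injected so the bookkeeping is testable.
func (m *Meter) Observe(r *http.Request, now time.Time) error {
	tenant, sid := r.Header.Get(hdrTenant), r.Header.Get(hdrSession)
	if tenant == "" || sid == "" {
		return errors.New("message carries no tenant/session identity")
	}
	key := tenant + "/" + sid
	s := m.open[key]
	switch r.Header.Get(hdrEvent) {
	case "BACKUP_START":
		if s != nil {
			return errors.New(key + ": BACKUP_START while a backup is open")
		}
		m.open[key] = &session{start: now}
	case "BACKUP_END":
		if s == nil {
			return errors.New(key + ": BACKUP_END without BACKUP_START")
		}
		delete(m.open, key)
		m.Records = append(m.Records, UsageRecord{Tenant: tenant, Session: sid, Duration: now.Sub(s.start), Bytes: s.bytes})
	default: // data message between the indicators: attribute its payload
		if s != nil && r.ContentLength > 0 {
			s.bytes += r.ContentLength
		}
	}
	return nil
}
```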

Thus the usage/metering service may be incorporated into the services execution pipeline to extend any web service. For example, resource utilization may be monitored to determine when and whether to scale the storage or increase buffer cache size. Alternatively, the usage tracking may be used to improve billing and otherwise monitor use of the resources by the particular tenant. Thus the usage/metering service is merely one example of a platform service that may be re-used by any web service to enhance the service. In addition it should be noted that by providing a consistent usage/metering service across the web services platform, cross web service cooperation is facilitated because the cooperating web services can rely on the fact that they are looking at statistics or other data that is gathered in a consistent fashion.

Logical Routing

A logical routing handler 608 is shown included in the request services execution pipeline 600. The logical routing handler in one embodiment is provided as an infrastructure service that may be selectively incorporated in a services pipeline to decouple the services hosting framework from the storage backend infrastructure. The logical routing service may be used to transparently relocate customer data for disaster recovery or de-duplication services and to transparently scale storage provided for a tenant as the tenant's needs increase or decrease.

The logical routing service is an example of a service that is customizable on a tenant and user granularity. The logical routing service can be used to link the application services hosting framework to a wide variety of host infrastructures, from legacy back ends to grid storage arrays, disaster recovery platforms, etc. The logical routing service can be used to scale tenant storage and/or move tenant data without modifying other aspects of the tenant's services. The ability to decouple the back end infrastructure from the application services hosting framework facilitates business continuity and increases the overall value of the platform.

For example FIG. 12 illustrates several exemplary components that may be associated with a logical routing service. The components may be implemented in any combination of hardware or software, and may use data structures that are stored on a computer readable medium in the host infrastructure.

The logical routing handler includes or is otherwise coupled to a routing table 900 which is indexed using a Tenant ID/segment index and outputs an index to a content repository 960. The content repository 960 may be a storage device having any configuration, and may be used to manage both data and metadata. In such an embodiment, the logical routing handler may be used to generate an index to the content repository, using the metadata.

Although FIG. 12 illustrates a simplified version of a routing table, it is understood that the routing of requests may use any variety of variables in determining an appropriate data location. The present invention is not concerned with the contents of the routing table, but rather is directed at the notion of abstracting the routing function into a logical service handler that may be selectively invoked in accordance with the needs of an underlying service. For example, a disaster recovery service is one example of a service which would benefit from the use of a logical routing service to transparently direct customers to the disaster recovery site in the event of failure at the services hosting data center.

Accordingly an extensible services pipeline and method of building an extensible pipeline to add value to an application service through augmentation with platform services in a cost effective manner has been shown and described. The particular pipeline of FIG. 9 leverages existing platform security and privacy services, such as authentication and authorization services, to provide a robust security solution in a multi-tenant SaaS environment.

Although the security and privacy services are shown with regard to a particular service handler, it should be recognized that the services may be used in a consistent manner to protect content before it is backed up on the wire, before archiving the content on the wire and before storing the content on the wire. Using the security and privacy services in a consistent manner across different web services facilitates administration while ensuring that data and applications are protected.

Appliance Content Protection

Referring now to FIGS. 13A, 13B and 13C, it will be recognized that when there is a large amount of data to be backed up it is often not feasible to perform each backup over the wire. As such, backed up data is typically ‘seeded’ with initial data, with incremental backups being performed periodically. The seeded data is generally copied, from local storage, onto a storage appliance which is physically transported to the host data center.

In addition, because the data set is typically large, the data set is managed through indexing. Indexing reduces the amount of time needed to search a large database by allowing a file system to search the indexes to identify the particular volume in which data of interest may reside.

It is important that the data that is transported on the appliance is secured prior to transport. Thus the data must be encrypted prior to transport. FIGS. 13A-13C illustrate exemplary processes 2000, 2100 and 2200 that may be performed to secure data on an appliance prior to transport of the appliance to a data center. Each process secures data prior to transport of a seeded data store to the data center. One distinction between the processes lies in the fact that in processes 2100 and 2200 the key that is used to secure the data never leaves the customer site, and thus there is no risk that the content can be compromised at the SaaS data center. As will be described in more detail below, one problem with not allowing the key to leave the customer site is that the index of the data set must be generated prior to the encryption of the data at the customer site. The processes of FIGS. 13B and 13C provide mechanisms for indexing at the customer site.

However, in FIG. 13A, during process 2000, at step 2002 a new AES-256-bit encryption key is generated specifically for the customer. At step 2004 the AES-256-bit encryption key is used to encrypt the content that has been loaded onto the appliance. At step 2006 the customer key is encrypted using the public key encryption certificate of the Key Management Service, for example using an encryption service such as the RSA 2048 bit public encryption algorithm.

Steps 2004 and 2006 will result in protecting both the content that needs to be backed up for seeding the backup of large capacity data sets at the customer site and also the backed-up copy of the newly generated AES customer encryption key.

At step 2008, the appliance is moved to the data center. On the data center side, at step 2010 the private key corresponding to the public certificate of the Key Management Service is used to decrypt the AES 256-bit customer key encryption key. At step 2010 the decrypted customer key may be backed up and made accessible to the customer via the Key Management Service for subsequent encryption of content via client-side backup and recovery operations at which the client is deployed.
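The FIG. 13A flow (steps 2002 to 2010) as an added Go example that is not part of the patent: the customer key is a fresh AES-256 key, the content is sealed with AES-256-GCM (the authenticated mode is an assumption; the page names only AES-256), and the key is wrapped with RSA-OAEP under the Key Management Service's RSA-2048 public key (the OAEP padding, the type and function names and the in-process KMS key pair are assumptions). A wrong KMS private key cannot unwrap the customer key, and any change to the sealed content fails authentication at the data center.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SealedAppliance is the constructed shape of what ships on the appliance.
type SealedAppliance struct {
	Content    []byte // AES-256-GCM: nonce || ciphertext || tag (step 2004)
	WrappedKey []byte // RSA-OAEP of the customer key for the KMS (step 2006)
}

// NewKMSKey stands in for the Key Management Service's RSA-2048 key pair.
func NewKMSKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForTransport runs steps 2002 to 2006 at the customer site.
func SealForTransport(kmsPub *rsa.PublicKey, content []byte) (*SealedAppliance, error) {
	customerKey := make([]byte, 32) // step 2002: fresh AES-256 key
	if _, err := rand.Read(customerKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(customerKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Step 2006: after this, only the KMS private key can recover the customer key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, customerKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedAppliance{
		Content:    gcm.Seal(nonce, nonce, content, nil), // step 2004
		WrappedKey: wrapped,
	}, nil
}

// UnsealAtDataCenter is step 2010: unwrap the customer key with the KMS private
// key, then decrypt the content. The key is returned for the Vault Service to store.
func UnsealAtDataCenter(kmsPriv *rsa.PrivateKey, a *SealedAppliance) (customerKey, content []byte, err error) {
	customerKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, kmsPriv, a.WrappedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(customerKey)
	if err != nil {
		return nil, nil, err
	}
	n := gcm.NonceSize()
	if len(a.Content) < n {
		return nil, nil, errors.New("sealed content too short")
	}
	content, err = gcm.Open(nil, a.Content[:n], a.Content[n:], nil)
	if err != nil {
		return nil, nil, err // wrong key or tampered content
	}
	return customerKey, content, nil
}
```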

Referring now to FIG. 13B, it is a goal of this process to secure the customer data so that the encryption key is not transferred to the data center. To accomplish this, the data must be indexed at the client site prior to encryption using a private key of the client. The index can then be passed to the data center (using a secure key known to the data center) to enable file system manipulation using the indexes without compromising data security.

For example, during process 2100, at step 2102 the customer key is generated. At step 2104, a client side index handler generates the index for the client data and encrypts the index using a public key. At step 2106, the client side encryption handler encrypts the client data using the client key, and at step 2108 the seeded data set, including the encrypted index and data, is forwarded to the SaaS data center. At step 2109 the data center can decrypt the index information using the public key and use it to manipulate the data, while never actually being able to read the data. With such an arrangement, secure data transport is provided which ensures that a customer key is kept local to the customer site.

The process of FIG. 13B is effective when the client is able to easily generate the required indices; however, there are many different types of indices that may be needed by a SaaS service. Content can be indexed using a variety of methods. For example, content may be indexed based on the generic and system level aspects of the underlying content. For example, an email can be indexed based on sender address, recipient address, sending time, MTA address, subject, size, etc., or on document indexes, such as type of document, file extension, size of document, when it was last modified, and creator of the document. A second method of indexing involves free text indexing of content, via a standard free text indexing engine such as Apache Lucene. Another way of generating indexes is based on content schema, i.e., the underlying structure of the document, for example a calendar event, email invite, tax filing, etc. The structure of the file corresponds to the schema, where the schema is a data model that represents the relationships between elements of the data set.

The schema is an input to a parser of an indexing engine, as it provides context for the different elements of the data, i.e., it tells the parser how to interpret the data set. Indexes to the data can then be generated, where the indexes may be related to the particular schema, or may use the schema to interpret the data to provide the generic and system level indexes, or other types such as free text ones.

One problem with this situation is that the schema, while known to the SaaS service, is not generally known by the client. Thus, while the client has access to the content, it does not necessarily know how to generate the desired schema indices for the content.

The steps performed by the process of FIG. 13C overcome this problem by transferring the schema to the client, for example as part of an index client handler. Thus at step 2202 the private key is generated for the customer, and at step 2203 the client retrieves the schema from the SaaS server. The schema retrieval request may be in the form of an exposed API. At step 2204, the client side uses the schema with the index handler to generate indices for the content and encrypts the generated schema indices using the public key. At step 2206, the compression handler compresses the data. At step 2207 the encryption service encrypts the compressed data using the private key from step 2202. The content and index can then be transferred to the data center, where at step 2209 the schema index may be decrypted using the public key and used by the SaaS service.
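The client-side, schema-driven indexing of steps 2203 and 2204 as an added Go example that is not the patent's code: the schema the host returns (constructed shape, JSON records and all names are assumptions) lists the record fields to index and whether each is an exact-match field, such as a sender address, or a free-text field, such as a subject; the client builds the index from its own records, and the result holds only terms and record ids, so the data center can answer lookups on the decrypted index while the content stays under the customer's key. Encryption of the index and content is the job of the surrounding steps and is not repeated here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Schema is the data model the client fetches from the SaaS host at
// step 2203 (constructed shape): which record fields to index and how.
type Schema struct {
	Record string      `json:"record"`
	Fields []FieldSpec `json:"fields"`
}

type FieldSpec struct {
	Name string `json:"name"` // dotted path into the record, e.g. "header.from"
	Kind string `json:"kind"` // "exact": normalised value; "text": each token
}

// Index maps field -> term -> record ids; it carries no record content.
type Index map[string]map[string][]string

// BuildIndex applies the host's schema to the tenant's records (one JSON
// document each) at the customer site, step 2204, before content encryption.
func BuildIndex(s Schema, records []string) (Index, error) {
	idx := make(Index)
	for _, f := range s.Fields {
		idx[f.Name] = make(map[string][]string)
	}
	for i, raw := range records {
		var rec map[string]any
		if err := json.Unmarshal([]byte(raw), &rec); err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
		id := fmt.Sprintf("%s-%d", s.Record, i)
		for _, f := range s.Fields {
			v, ok := lookup(rec, f.Name)
			if !ok {
				continue // field absent from this record: left unindexed
			}
			text := strings.ToLower(strings.TrimSpace(fmt.Sprint(v)))
			var terms []string
			switch f.Kind {
			case "exact":
				terms = []string{text}
			case "text":
				terms = strings.Fields(text)
			default:
				return nil, fmt.Errorf("field %q: unknown kind %q", f.Name, f.Kind)
			}
			for _, t := range terms {
				if p := idx[f.Name][t]; len(p) == 0 || p[len(p)-1] != id {
					idx[f.Name][t] = append(p, id) // one posting per record
				}
			}
		}
	}
	return idx, nil
}

// lookup walks a dotted path such as "header.from" into a decoded record.
func lookup(rec map[string]any, path string) (any, bool) {
	var cur any = rec
	for _, part := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}
```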

Various Use Case Embodiments

FIG. 14 illustrates an exemplary host infrastructure in which the services hosting framework of the present invention may advantageously be employed. A Disaster Recovery (DR) solution includes a Host data center 1100 and a DR data center 1110. Each data center includes a services hosting framework and host infrastructure including Host Equipment and Host Managed operations. Customized versions of services 1110 are deployed by the clients 1101-1103. Although a storage system has been shown and described, it should be understood that the services hosting framework of the present invention may be adapted for use in many different service environments.

Although the embodiment of FIG. 14 illustrates a number of trusted data services that may be associated with the host infrastructure, it should be understood that the services hosting framework is not limited to any particular type of services. Rather, as discussed above, the services hosting framework of the present invention is extensible and can readily integrate new services as they become available from a host, partner or other source.

Referring now to FIG. 15, an example of an IT service that may be added as the extensible service 15 of the services hosting framework of FIG. 1 is an email management service 1230. Email management services include a mailbox management component 1232, a message archiving component 1234, a message security component 1236 and a disaster recovery component 1238. As shown in FIG. 12, the email management service includes a host component 1230 and a tenant component 1200.

The generic SaaS tenant appliance 1200 includes a SaaS User Interface (UI) agent framework that is deployed at the tenant equipment for managing the services for which the client has registered, where, as mentioned above, the client side framework agent may be comprised of client invocation pipelines invoking SaaS handlers and client side handlers. For a web email service the appliance or agent 120 facilitates transfer of email from the tenant site to the email service 1230 that is provided by the platform 1250. The platform forwards the message to the destination while archiving the message using an archiving service 1234. In addition, the platform may also invoke a security service 1236 to authenticate the messaging client, and invokes mailbox management services to properly store the message.

According to one aspect of the invention, an IT service, such as an email management service, may be exposed to the client by providing APIs to the components of the service. Thus, in the embodiment of FIG. 14, the services hosting framework could expose a mailbox management API, message archiving API, message security API and email disaster recovery API to the tenant, enabling the tenant to use the services. In the event that the email management service 1230 is updated and more services are provided, the APIs to those services would also be provided to the tenant.

As shown in FIG. 14, the email services 1230 may also utilize security and privacy services 1240 such as business continuity service 1242 and Key Management Service 1244 to protect access to data. For example, in the event that the failure of the appliance 1210 or the network connection 1225 makes the tenant unable to access the local copy of email, the email can still be retrieved from the archive using the APIs associated with business continuity service 1220.

In addition to the business continuity service, the email management services may also use the Key Management Service 1244 to store encryption keys that secure the emails. As described above with regard to FIGS. 10 and 11, the encryption keys may be retrieved and stored locally in a lockbox of the tenant for email decryption.

Accordingly an extensible services hosting framework has been shown and described which facilitates the dynamic deployment of customized services in a multi-tenant environment and enables multi-organization personalization. New and legacy services may easily be integrated into a host infrastructure by exposing associated APIs to the tenants. Any of the services may take advantage of existing protection, infrastructure and platform services to enhance the performance and capabilities of their services.

Having described various embodiments of the invention, it will be appreciated that many of the above figures are flowchart illustrations of methods, apparatus (systems) and computer program products according to an embodiment of the invention. It will be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be loaded onto a computer or other programmable data processing apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create means for implementing the functions specified in the flowchart block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks.

Those skilled in the art should readily appreciate that programs defining the functions of the present invention can be delivered to a computer in many forms, including, but not limited to: (a) information permanently stored on non-writable storage media (e.g. read only memory devices within a computer such as ROM or CD-ROM disks readable by a computer I/O attachment); (b) information alterably stored on writable storage media (e.g. floppy disks and hard drives); or (c) information conveyed to a computer through communication media, for example using baseband signaling or broadband signaling techniques, including carrier wave signaling techniques, such as over computer or telephone networks via a modem.

The above description and figures have included various process steps and components that are illustrative of operations that are performed by the present invention. However, although certain components and steps have been described, it is understood that the descriptions are representative only; other functional delineations or additional steps and components can be added by one of skill in the art, and thus the present invention should not be limited to the specific embodiments disclosed. In addition it is understood that the various representational elements may be implemented in hardware, software running on a computer, or a combination thereof.

While the invention is described through the above exemplary embodiments, it will be understood by those of ordinary skill in the art that modification to and variation of the illustrated embodiments may be made without departing from the inventive concepts herein disclosed. Accordingly, the invention should not be viewed as limited except by the scope and spirit of the appended claims.

1. (canceled)
2. A method of seeding a storage device at a host data center with tenant data received encrypted on a storage medium includes the steps of: extracting an encrypted custom key from the storage medium; decrypting the encrypted custom key using a private certificate associated with a Vault Service of the host data center; storing the decrypted custom key for the tenant by the Vault Service; and decrypting the tenant data using the decrypted custom key.
3-9. (canceled)
10. The method according to claim 2, further comprising: generating a custom key; generating an index of the tenant data; encrypting the index using a public key; encrypting the tenant data using the custom key to provide encrypted tenant data; and forwarding the encrypted tenant data together with the encrypted index to the host data center to enable the host to decrypt the encrypted index using the public key and manipulate the encrypted tenant data using the decrypted index.
11. The method according to claim 10, wherein generating the index of the tenant data uses underlying content of the tenant data.
12. The method according to claim 10, wherein generating the index of the tenant data uses free text indexing.
13. The method of claim 10, wherein generating the index of tenant data uses a schema downloaded from the host prior to indexing the tenant data.
14. A host platform, comprising: a storage device for storing encrypted tenant data and an encrypted index to the encrypted tenant data, wherein the encrypted tenant data and the encrypted index to the tenant data are encrypted using different keys; and a computer readable storage medium having program code stored thereon operable when executed by a processor of the host platform to provide a service to a customer associated with the encrypted tenant data using the decrypted index of the tenant data.
15. The host platform of claim 14, wherein a key used to encrypt the tenant data is unavailable to the host platform.
16. The host platform of claim 14, wherein a key used to encrypt the tenant data is stored by a vault service of the host platform.
17. A computer readable storage medium storing computer software that seeds a storage device at a host data center with tenant data received encrypted, the computer software comprising: executable code that extracts an encrypted custom key from the storage medium; executable code that decrypts the encrypted custom key using a private certificate associated with a vault service of the host data center; executable code that stores the decrypted custom key for the tenant by the vault service; and executable code that decrypts the tenant data using the decrypted custom key.
18. The computer readable storage medium according to claim 17, further comprising: executable code that generates a custom key that is unencrypted; executable code that generates an index of the tenant data; executable code that encrypts the index using a public key; executable code that encrypts the tenant data using the custom key to provide encrypted tenant data; and executable code that forwards the encrypted tenant data together with the encrypted index to the host data center to enable the host to decrypt the encrypted index using the public key and manipulate the encrypted tenant data using the decrypted index.
19. The computer readable storage medium according to claim 17, wherein the executable code that generates the index of the tenant data includes executable code that uses underlying content of the tenant data.
20. The computer readable storage medium according to claim 17, wherein the executable code that generates the index of the tenant data includes executable code that uses free text indexing.
21. The computer readable storage medium according to claim 17, wherein the executable code that generates the index of tenant data includes executable code that uses a schema downloaded from the host prior to indexing the tenant data.